Covering Your Ads® Blog
https://www.coveringyourads.com
Behavioral Advertising Company That Dropped “Zombie” Cookies Can’t Use Verizon’s Arbitration Clause To Avoid Class Action Lawsuit
Mon, 30 Oct 2017 19:27:52 +0000

The 9th Circuit Court of Appeals ruled that a non-party online behavioral advertising firm could not benefit from the arbitration clause in the agreement between Verizon and its customers because it was not a party to that agreement.

In April 2015, Anthony Henson and William Cintron filed a class action lawsuit against online behavioral advertising firm Turn, Inc. in the Northern District of California on behalf of all New York Verizon Wireless subscribers.

The plaintiffs alleged that Turn dropped undeletable “zombie” cookies to Verizon subscribers’ devices to collect valuable location, web browsing, and usage data about them. “Zombie” cookies are bits of code that collect data about users and regenerate even if a user tries to delete them from his or her device. In 2016, the FCC settled with Verizon for using these same “zombie” cookies. Under the terms of the settlement, Verizon agreed to pay a fine of $1,350,000 and adopt a three-year compliance plan that, among other things, required FCC approval for engaging in any similar behavioral advertising programs.

Turn moved to compel arbitration based on the arbitration clause in Verizon’s agreement with each of its subscribers, even though Turn is not a party to that agreement. The district court granted the motion based on New York’s equitable estoppel doctrine and stayed the litigation.

In September 2017, a unanimous three-judge panel of the 9th Circuit rejected the district court’s decision, ruling that Turn could not benefit from the arbitration clause in the agreement between Verizon and its subscribers because Turn was not a party to that agreement and, thus, the original class action may proceed.

“Turn attempts to invoke the arbitration agreement between Henson and Verizon to compel arbitration, but Henson and Turn do not have an arbitration agreement with each other,” judges wrote.

Analyzing Turn’s equitable estoppel argument, the 9th Circuit explained that under California law, Henson will be equitably estopped from avoiding arbitration in two circumstances:

when [Henson] must rely on the terms of the [Customer Agreement] in asserting its claims against [Turn] or the claims are intimately founded in and intertwined with the [Customer Agreement], and

when [Henson] alleges substantially interdependent and concerted misconduct by [Turn] and [Verizon] and the allegations of interdependent misconduct are founded in or intimately connected with the obligations of the [Customer Agreement].

The 9th Circuit concluded that (1) the plaintiff’s claims were not dependent upon the Verizon-Subscriber agreement and (2) the plaintiff did not allege that Verizon colluded with Turn. “On the contrary, Henson alleges that ‘Turn conducted its practices in secret’ and acted without Verizon’s knowledge, consent, or approval,” judges explained. Therefore, the district court committed error in holding that equitable estoppel applied to compel arbitration under the Verizon-Subscriber agreement.

Deadline Approaching: Action Required by December 31 To Avoid Losing DMCA Safe Harbor Protection
Wed, 25 Oct 2017 22:26:06 +0000

The U.S. Copyright Office is making changes to the Digital Millennium Copyright Act (DMCA) safe harbor agent registration process. The changes impact both new online service providers as well as existing online service providers who have already registered an agent. Read on for details about what you will need to do.

What do I need to know about the new DMCA agent registration system?

In order to qualify for DMCA safe harbor protections, you must designate an agent to receive notifications of claimed infringement under the DMCA using the Copyright Office’s new electronic system by December 31, 2017. Section 512 of the DMCA provides safe harbors to shield online service providers from certain claims for copyright infringement based on user generated content transmitted, cached, stored, referred, or linked on their website, app, or other online service.

What if you previously registered a DMCA agent using the old paper system prior to December 1, 2016?

You must re-register using the new electronic system by December 31, 2017.

What else is new?

Under the new DMCA regulations, DMCA agent registrations are no longer perpetual – you must renew your registration every three years.

Do you really need to worry about this?

Yes, you should take action if:

You previously registered a DMCA agent using the old paper system prior to December 1, 2016;

You have a DMCA take-down policy in the Terms of Service for your online service; and/or

Your online service stores, transmits, caches, refers, or links content generated by users, including websites that allow users to post, upload, or display text, photos, videos, audio, etc. If users can upload any content to your website, app, or other online service, you are an “online service provider” under the DMCA and should protect yourself with DMCA safe harbor.

Do you need to make any changes to your Terms of Service?

This is a good opportunity to review and update your Terms of Service, especially if you have not done so in the last two or three years.

The complaint, brought by the FTC’s Bureau of Consumer Protection (“BCP”), was against two online gaming influencers, Trevor Martin (a/k/a TmarTn), Thomas Cassell (a/k/a TheSyndicateProject, Tom Syndicate, and Syndicate), and their corporation CSGOLotto, Inc. (“CSGOLotto”). The BCP alleged that Martin and Cassell (1) did not disclose their ownership in CSGOLotto, (2) were paid to endorse the online platform’s gambling service and (3) asked other gaming influencers to promote the service in exchange for payments between $2,500 and $55,000 without making them disclose such payments. In response to the complaint, neither Martin, Cassell, nor CSGOLotto admitted or denied the allegations, but instead agreed to enter into an Agreement Containing Consent Order with the FTC (the “Order”). The Order prevents them from misrepresenting an endorser of the product or service as an independent user or ordinary consumer of same and requires them to clearly and conspicuously state if the endorsers have a material connection to the product or service.

The Order led to an increase in questions about necessary disclosures when influencers and endorsers receive a benefit for discussing a product or service. In response to these inquiries, the FTC updated its FAQ document “The FTC’s Endorsement Guides: What People Are Asking”. The FAQ document states that the guiding principle behind the regulations is that the relationship between the influencer and product must be clear to the audience. It also answers additional questions related to proper disclosures, like how often and where the disclosure needs to appear.

On September 20, the FTC hosted a live Q&A session on Twitter called “Social Media Influencers,” using the tag “#influencers101,” to respond to questions from Twitter users. The FTC fielded a number of questions including: (1) Do the built-in disclosure tools on social media platforms meet FTC standards? (2) When are disclosures necessary? and (3) When does the U.S. law apply? The FTC articulated that it “is only concerned about endorsements made on behalf of a sponsoring advertiser.” A key factor in determining if a disclosure or notice is necessary is whether the influencer received a benefit (e.g. free product, paid trip, dollar amount) from the sponsor that may have changed or influenced his or her opinion of the product or services. If a benefit or potential benefit was received, a disclosure is necessary. If the influencer posts about a product or service that he or she “just happens to like”, a disclosure likely is not necessary.

What can we take away from the FTC’s recent actions, guidelines and discussions? Three themes: (1) The FTC is turning more of its attention to regulating nontraditional means of advertising in hopes of protecting social media platform users from misleading advertisements and endorsements, (2) the audience (i.e. ads directed at U.S. consumers) triggers these rules, not the location the endorser is posting from, and (3) disclosures must meet specific standards.

Disclosures should (1) be “clear and conspicuous” (i.e. hard to miss and understandable), (2) be in “close proximity” to the endorsement, representation or advertisement, and (3) convey the “material connection” between the product and influencer.

During the Twitter session, the FTC further articulated what it means to be “clear and conspicuous” and provided some takeaways:

Put disclosures in the first three lines of the post;

Use hashtags like “#ad” or “#paid” at the beginning of the post and do not bury them amongst other links and hashtags. Hashtags like “ambassador” are not sufficient;

Superimpose a disclosure over your Snapchat or Instagram stories and keep in mind that followers have to have time to read the disclosure;

In a series of disappearing posts, you may only need a disclosure on the first post if the disclosure stands out and viewers have time to process the disclosure before the next post appears;

If your followers know you are a paid spokesperson, you do not need to include a disclosure every time you post about the product. However, if a “significant portion of your followers” are unaware of the relationship, you need to disclose it each time;

If you are hosting a giveaway funded by a third party, state that it is sponsored by a third party;

You do not need to list everything you received from a company to review a product. You can say you were paid or that you received an all-expense paid trip;

If you work for a brand and post about a product, disclose your connection to the brand, even if you were not paid an additional amount to post about the product;

If you are the brand, monitor and follow up with the influencer to make sure that he or she has followed your written advice about disclosure; and

Do not rely on built-in tools (e.g. “Paid” tag on Facebook or “Includes paid promotion” mark on YouTube) for disclosures.

#CAUTION: FTC Ramps Up Enforcement of and Education on Social Media Influencer Disclosure Requirements
Tue, 19 Sep 2017 19:44:29 +0000

In 2017, being a “social media influencer” can mean big bucks. Companies are increasingly eager to pay individuals with large social media followings substantial sums to promote products in the hopes of reaching millions of potential customers quickly. And consequently, the Federal Trade Commission (the “FTC”) is paying attention more than ever. If you’re being paid to promote a product on your Instagram account, the FTC wants you to let the world know. . . or else.

This recent increase in social media policing by the FTC follows its 2015 updates to its Guides Concerning Use of Endorsements and Testimonials in Advertising (the “Endorsement Guides”). The Endorsement Guidelines apply to both marketers and endorsers, and state that if there is a “material connection” between an endorser and the marketer of a product (i.e., a connection that might affect the weight or credibility that consumers give the endorsement), that connection should be clearly and conspicuously disclosed, unless the connection is already clear from the context of the communication containing the endorsement.

Earlier this month, in a symbolic action demonstrating the federal government’s increased efforts to combat misleading advertising in social media, the FTC settled its first complaint brought against individual social media influencers. In 2015, the FTC launched an investigation into the activities of Trevor “TmarTn” Martin, Thomas “Syndicate” Cassell, two widely followed online gaming influencers, and their company, CSGOLotto, Inc. (“CSGOLotto”), based on Martin and Cassell’s YouTube videos of themselves gambling with virtual currency on their online multi-player shooter game website while encouraging others to do the same. While the YouTube videos promoted CSGOLotto as a place to win big money quickly, the videos failed to disclose that Martin and Cassell were the company’s respective president and vice president. According to the FTC’s complaint, Martin, Cassell, and their company also had an “influencer program” and paid other gaming influencers between $2,500 and $55,000 to promote the CSGOLotto website to their social media followers, and also barred those influencers from any negative reviews of the website. In addition to alleging that Martin and Cassell’s videos failed to disclose their ownership of and senior roles with the company, the FTC alleged that the gaming influencers’ social media posts deceptively failed to adequately disclose that the influencers received compensation to promote the gambling service.

To settle the matter, Martin, Cassell, and CSGOLotto, Inc. entered into an agreement with the FTC (with a proposed order) whereby they are prohibited from misrepresenting that any endorser is an independent user or ordinary consumer of their gaming website, and are required to make clear and conspicuous disclosures of any unexpected material connections with endorsers.

The CSGOLotto settlement is but one of many recent actions the FTC has taken to increase enforcement of and compliance with its Endorsement Guidelines. For example, following up on its April 2017 sending of 90 educational letters to social media influencers and brands, informing them of the FTC’s “material connection” disclosure requirements, the FTC recently sent 21 of those same brands and influencers warning letters citing specific social media posts of concern, and requiring disclosure to the FTC of any material connections to the brands in the identified posts. The recent letters further asked the recipients to report what actions they will take to ensure compliance with the Endorsement Guidelines disclosure requirements.

Additionally, on September 7, the FTC also issued an updated version of its Endorsement Guides “What People are Asking” document, meant to provide guidance on frequently asked questions relating to the Endorsement Guidelines. The revised document includes additional information regarding disclosures of material connections by social media influencers.

This increase in enforcement and educational action by the FTC demonstrates a concerted effort to regulate conduct and protect consumers of a booming new media practice. Whether widespread compliance with the FTC’s requirements becomes the new normal remains to be seen, as thousands of new social influencers appear every day, many unaware of the Endorsement Guidelines. But certain applications, such as Instagram, are making it a little easier to comply when disclosing paid posts. In June, in response to the FTC’s warning to celebrity users, Instagram announced that it would provide influencers with the option to use a new “paid partnership with” sub-header on sponsored posts and stories to allow those influencers to easily tag the business with whom they have a paid relationship. Instagram also indicated in June that users should expect an official policy and enforcement approach by Instagram in the future regarding sponsored posts.

Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.

Nevada: A Website Privacy Notice is Required

Nevada joined California and Delaware in explicitly requiring websites and online services to post an accessible privacy notice. The Nevada law, effective October 1, 2017, requires disclosure of the following:

The categories of “covered information” collected about consumers who visit the website or online service;

The categories of third parties with whom the operator may share such information;

A description of the process, if any, through which consumers may review and request changes to their information;

A description of the process by which operators will notify consumers of material changes to the notice;

Whether a third party may collect covered information about the consumer’s online activities over time and across different Internet websites or online services; and

The effective date of the notice.

“Covered Information” is defined to include a consumer’s name, address, email address, telephone number, social security number, an identifier that allows a specific person to be contacted physically or online, and any other information concerning a person maintained by the operator in combination with an identifier.

Takeaway: Website and online service operators (including Ad Techs and other data collectors) should review their privacy policies to ensure they are disclosing all collection of information that identifies, can be used to contact, or that is combined with information that identifies consumers. Website operators should also be sure that they are aware of, and are properly disclosing, any information that is shared with or collected by their third-party service providers and how that information is used.

Oregon expanded its definition of an “unlawful trade practice”, effective January 1, 2018, to expressly include using, disclosing, collecting, maintaining, deleting or disposing of information in a manner materially inconsistent with any statement or representation published on a business’s website or in a consumer agreement related to a consumer transaction. The new Oregon law is broader than other similar state laws, which limit their application to “personal information”. Oregon’s law, which does not define “information”, could apply to misrepresentations about any information collection practices, even if not related to consumer personal information.

Takeaway: Businesses should be mindful when drafting privacy policies, terms of use, sweepstakes and contest rules and other consumer-facing policies and statements not to misrepresent their practices with respect to any information collected, not just personal information.

New Jersey: ID Cards Can Only be Scanned for Limited Purposes (not Advertising)

New Jersey’s new Personal Information and Privacy Protection Act, effective October 1, 2017, limits the purposes for which a retail establishment may scan a person’s identification card to the following:

To verify the authenticity of the card or the identity of the person paying for goods or services with a method other than cash, returning an item or requesting a refund or exchange;

To verify the person’s age when providing age-restricted goods or services to the person;

To prevent fraud or other criminal activity using a fraud prevention service company or system if the person returns an item or requests a refund or exchange;

To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;

To establish or maintain a contractual relationship;

To record, retain, or transmit information required by State or federal law;

To transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the Fair Credit Reporting Act and the Fair Debt Collection Practices Act; or

To record, retain, or transmit information governed by the medical privacy and security rules of the Health Insurance Portability and Accountability Act.

The law also prohibits the retention of information scanned from an identification card for verification purposes and specifically prohibits the sharing of information scanned from an identification card with a third party for marketing, advertising or promotional activities, or any other purpose not specified above. The law does make an exception to permit a retailer’s automated return fraud system to share ID information with a third party for purposes of issuing a reward coupon to a loyal customer.

Takeaway: Retail establishments with locations in New Jersey should review their point-of-sale practices to ensure they are not scanning ID cards for marketing, advertising, promotional or any other purposes not permitted by the New Jersey law.

A Deeper Dive Into the FTC Crack-Down on Social Media Influencers: What You Should Know Before You Post
Tue, 18 Jul 2017 16:29:25 +0000

In our previous blog post, “Brands Beware!!! FTC Scrutinizing Influencer Posts for Compliance with Endorsement Guides,” we reported that the Federal Trade Commission (“FTC”) had issued more than 90 letters to brands and influencers, making it clear that it is paying close attention to influencer-based marketing. More recently, the letters have been made publicly available,...…

Several FTC letters were sent to influencers that could potentially be seen as having a personal relationship with a brand’s owner, such as Victoria Beckham with Dr. Harold Lancer of Lancer Skincare or Lucy Hale with Chiara Ferragni of Chiara Ferragni Collection. The agency reminded these celebrities that disclosure is required even in the absence of a business connection or if product is simply received free of charge.

Another group of letters addressed the inadequacy of disclosures consisting of influencers expressing gratitude to the brands. The FTC expressed concern that these types of disclosures fail to sufficiently explain the nature of the endorser’s relationship to the company. For example, Emily Ratajkowski’s “thanks @nipandfab” or Troian Bellisario’s “Thank you @understatedleather” were not considered appropriate disclosures.

Some influencers, known to the FTC for having existing business relationships with the brands, were singled out for lack of appropriate disclosures. For example, Ashley Benson was put on notice for her use of a hard-to-understand #sp hashtag in her endorsement post; Scott Disick, affiliated with Pearly Whites Australia, also was admonished for using an otherwise acceptable #ad hashtag, but placing it at the end of his post; and Caroline Manzo, a paid spokesperson for HelloFresh, received a warning letter for using the #sp hashtag despite including a statement encouraging consumers to try her code ‘FreshCaroline.’

The FTC also indicated that using #[brandname]ambassador may be inappropriate, at least in certain contexts. Shay Mitchell, a brand ambassador for Biore, was cited for not validly disclosing her relationship with the brand even though she included “BioreAmbassador” in her post. The FTC did not provide an explanation as to why “BioreAmbassador” was insufficient, or whether it may be sufficient in other contexts (i.e., if she had included it more prominently, rather than at the end of the post, following emojis and a potentially confusing #TBT hashtag).

In other letters, the FTC made it clear that, while the #partner hashtag by itself is likely an insufficient disclosure, it may nonetheless be appropriate to use #[brand name]_partner. However, the agency also indicated that an abbreviated version of the brand name in that context may be insufficient due to consumers potentially not understanding the meaning of the abbreviation.

The FTC emphasized the importance of disclosing relationships, including in situations where the brands or products are owned by influencers and are “non-eponymous” (meaning that the brands are not named after the celebrities or influencers) because the public may not be aware of the relationship. For example, Sean Combs’ endorsement of AQUAhydrate water was flagged by the FTC as lacking disclosure, despite the fact that Mr. Combs is an owner and director of AQUAhydrate.

Takeaways:

All material connections should be disclosed, including:

Non-business relationships and friendships;

Free products;

Products owned by endorsers.

Disclosures should be clear and conspicuous, meaning:

Placed above the “more” button in an Instagram post;

Not hidden in a string of other hashtags and/or links.

Avoid vague and/or confusing disclosure hashtags:

Use #ad, #sponsored or #[brand name]_partner and place it at the top of the post;

Political Polarization in a Programmatic World
Thu, 13 Jul 2017 22:06:32 +0000

In an era of heightened political awareness and division, brands are more and more sensitive to the nature of the content where their online ads are displayed. In an era of ever-increasing dominance of programmatic advertising via multiple levels of ad networks, real-time bidding, and behavioral targeting, brands have less and less control over where their ads appear.

The tension between the desire for brands to have more control and their increasing lack of it came to light this spring in a series of news reports demonstrating that ads for major brands were appearing on YouTube, Facebook and other websites alongside various sorts of unsavory content such as pro-terrorism videos, racist content, and fake news. Many advertisers, including AT&T, Coca-Cola and Verizon, pulled their ads from YouTube and Google ad networks. Big brands have similarly taken measures, with mixed results, to prevent their ads from appearing through ad networks on controversial sites such as Breitbart.

For the most part, brands have embraced the premise behind programmatic advertising that ad dollars are better spent targeting specific users, rather than focusing on where those users happen to be when they are targeted. But recent studies suggest that brands have good reason to be concerned about where their ads appear since a brand’s association with inappropriate content does indeed have a negative effect on consumer perception of the brand.

In response to the original reports in March and the clamoring by advertisers for increased “brand safety”, Google immediately announced it would implement certain measures including: better policing of its content; providing marketers more information about where their ads appear; bolstering its technology that automatically screens content; and setting minimum view thresholds before a video channel can earn a share of revenue. On June 18th, Google announced additional technical and editorial measures to prevent terror-related video and content from appearing on its properties. The Wall Street Journal has reported that some of YouTube’s advertisers have returned, while others continue to stay away.

But what’s a brand to do? In print publishing and even in the prosaic banner-ad days when publishers sold display ads directly to advertisers, advertisers and publishers typically negotiated “adjacency” requirements providing, for example, contractual assurances that ads would not appear next to a competitor’s ads or next to certain types of content. The automated nature of programmatic advertising through numerous layers of DSPs and ad networks has eliminated for the most part the ability for an advertiser to negotiate these types of adjacency limitations. Instead brands and agencies should:

When buying through networks and exchanges, insist on white-listing (limiting ads only to preapproved channels and sites) rather than blacklisting (preventing ads from appearing on certain sites) in order to gain greater control of where ads appear;

Monitor ads or get someone to do it for you – leverage third party services that can track the appearance of ads;

Push for stronger direct reporting from networks and exchanges on the specific channels and sites where ads appear; and

Find out which other networks might be participating in your bidding marketplaces and where their inventory comes from.

Finally, “Brand Safety” may not be just an advertiser problem. As publishers surrender more of their ad inventory to automated networks, brand integrity could easily become a headache for them as well. While most publishers and many networks have advertising guidelines that govern the subject matter and content of ads (e.g., prohibitions against ads for guns and weapons or pornographic ads), in today’s reality, brands themselves may be toxic when they are singled out for politically objectionable actions regardless of what they are selling — think of the recent and lingering uproar in reaction to Chick-fil-A’s public stance against gay marriage. How soon will it be before a publisher is vilified for displaying a programmatically sold ad from an “undesirable” brand?

Dish Network to Dish Out $341M for TCPA Violations
https://www.coveringyourads.com/2017/06/articles/privacy/dish-network-tcpa-violations/
Fri, 30 Jun 2017 16:44:47 +0000

Two recent judgements against Dish Network LLC (“Dish”) for violations of the Telephone Consumer Protection Act (TCPA) and similar state and federal laws demonstrate the significant liability companies may face based on the actions of their third-party contractors. Dish has been ordered to pay a total of approximately $341 million in two separate federal court actions related to TCPA violations committed by its marketing service providers. Both cases underscore the importance of maintaining strong vendor oversight in the highly regulated telemarketing industry.

Overview of Telemarketing Laws

Various laws at the federal and state level have been enacted to protect consumers from unwanted and often aggressive telemarketing practices. The TCPA places detailed restrictions on telemarketing calls and text messages, artificial or prerecorded voice calls, autodialed calls, unsolicited fax advertisements and telephone solicitations. Among other things, the TCPA requires companies to maintain a company-specific “do-not-call” list of consumers who have asked not to be called. In addition to the TCPA, companies must comply with the Telemarketing Sales Rule (TSR), which, among other things, established the national Do Not Call Registry; both the TCPA and TSR generally prohibit making calls to numbers listed on the Do Not Call Registry. Applicable state law must also be observed, as most states have enacted legislation similar to the TCPA and TSR, including state-specific “do-not-call” registries in some instances.

Violations of these laws can be costly. The TCPA provides for statutory damages of $500 per call or text made in violation of the statute, and up to $1,500 per call or text for willful and knowing violations. In addition to civil lawsuits, regulatory enforcement actions may be brought by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC).

TCPA litigation has skyrocketed in recent years, with the issue of vicarious liability often at the focus. Courts generally apply federal common law principles of agency, weighing various factors in determining whether an agency relationship exists between a company and its third party marketers, including whether the company reviewed the content of the telemarketing call, whether it knew that the third party was violating the TCPA, and whether the company engaged the third party specifically for telemarketing. In a May 2012 declaratory ruling, the FCC held that liability may be determined “under a broad range of agency principles, including not only formal agency, but also principles of apparent authority and ratification.”

In the decisions discussed below, the courts focus on the fact that Dish’s vendor agreements gave Dish the right to exercise significant control over its vendors’ telemarketing activities, yet Dish failed to take any meaningful action to ensure vendors’ compliance with relevant laws – a failure exacerbated by the fact that Dish knew that its vendors had violated telemarketing laws in the past and were likely continuing to do so. Instead, Dish continued to reap the benefits of such vendors’ services, including increased sales volume and subscriber base.

Krakauer v. Dish Network LLC

In Krakauer v. Dish Network LLC, No. 1:14-cv-00333, M.D.N.C., class members claimed that they received phone calls from Satellite Systems Network (“SSN”) promoting Dish’s services, despite the fact that their numbers were listed on the Do-Not-Call Registry. The jury rejected Dish’s argument that it should not be held responsible for the actions of SSN, ultimately finding Dish liable for the approximately 51,000 calls that SSN made to numbers on the Do-Not-Call Registry. The jury awarded $400 per call, or approximately $20.5 million.

Last month, the court trebled the jury verdict for a total award of $61.5 million after finding that Dish “willfully and knowingly” violated the TCPA. The court noted a number of findings in support of this determination, including the following:

Dish knew that SSN had a history of TCPA violations and was calling numbers that it had not verified were not on the Do-Not-Call Registry, but continued to allow SSN to market Dish’s services.

When Dish received complaints from individuals called by SSN even though their number was listed on the Do-Not-Call Registry, Dish responded by disclaiming responsibility for the acts of its third-party marketers, and made no effort to determine whether SSN was complying with telemarketing laws.

While Dish had ample reason to believe that SSN was engaged in illegal telemarketing practices, Dish “repeatedly looked the other way” and failed to investigate or enforce SSN’s compliance, despite the fact that Dish had broad rights to monitor and control SSN’s telemarketing pursuant to Dish’s contract with SSN.

In 2009, Dish signed an agreement with forty-six attorneys general, pursuant to which Dish agreed to monitor its marketers’ compliance with federal do-not-call laws and to discipline marketers or terminate their services if they failed to take measures to prevent violations of the law. However, Dish failed to show that it undertook any efforts to comply with such agreement, other than sharing its terms with its marketers.

United States of America et al. v. Dish Network LLC

United States of America et al. v. Dish Network LLC, No. 3:09-cv-03073, C.D. Ill. was brought by the U.S. Department of Justice on behalf of the FTC, as well as the states of California, Illinois, North Carolina, and Ohio, for alleged violations of the TCPA, the TSR and state law. The complaint alleged that Dish, directly and via its third party marketers, violated such laws by calling numbers listed on the National Do Not Call Registry and contacting individuals who previously said they did not want to receive sales calls from Dish.

The court found Dish liable for millions of calls made by its vendors in violation of telemarketing laws, noting that “Dish’s reckless decision to use anyone with a call center without any vetting or meaningful supervision demonstrates a disregard for the consuming public.” The court ordered Dish to pay $280 million in statutory damages and penalties, $168 million of which was awarded to the federal government — the largest civil penalty ever obtained for a violation of the FTC Act — and the remainder of which was awarded to the states. The court also ordered Dish to hire a telemarketing-compliance expert to prepare a plan designed to ensure compliance with telemarketing laws and provide a copy of such plan to the court, and to maintain records relating to telemarketing compliance (including all outbound call records and all consumer complaints received by Dish) and provide copies of such records to the plaintiffs on a semi-annual basis for the next ten years.

Steps to Ensure Vendor Compliance

Both cases show how important it is for companies engaging third party telemarketing providers to have robust vendor management programs in place. As TCPA litigation continues to be on the rise, and likely to be further fueled by the huge sums awarded in the recent Dish decisions, companies should take appropriate steps to mitigate their risk, including the following:

Perform due diligence on all vendors performing telemarketing services on the company’s behalf.

Develop company policies outlining vendor compliance obligations, including use of the national Do Not Call Registry, and contractually require vendors to comply with such policies.

Ensure that all vendor agreements include an obligation to maintain detailed records evidencing the vendor’s compliance with telemarketing laws and company policy, and give the company broad rights to monitor the vendor’s telemarketing activities and audit such records.

Implement internal company policies detailing the actions employees must take with respect to overseeing vendors, monitoring compliance and responding to consumer complaints.

Promptly investigate consumer complaints in a systematic way to identify root causes of problems, and document all actions taken in response to complaints.

Devote sufficient resources to maintaining and enforcing the company’s internal and vendor compliance policies, including periodic review of such policies and retention of records evidencing steps taken to ensure compliance.

WannaCry Ransomware Alert
https://www.coveringyourads.com/2017/05/articles/privacy/wannacry-ransomware/
Fri, 19 May 2017 21:28:41 +0000

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption cost to businesses is expected to range from the hundreds of millions to the billions of dollars.

Last fall, we warned our clients that ransomware – a newly popular form of cyberattack – would require a different approach to cybersecurity and to incident recovery. The urgency of that warning is now clear, as the WannaCry attack is unprecedented in its size and in the speed with which it spread. While entities in North America appear to have suffered minimal damage thus far, and while the particular ransomware variant involved in last week’s incidents has been largely neutralized, even small changes made to the malware code could reactivate it and rapidly deploy a new series of attacks. We are once again urging our clients to proactively prepare, consult with cybersecurity experts, and develop comprehensive cyber incident response plans which contemplate a variety of possible attacks.

What is ransomware?

Ransomware is malware that disables systems or encrypts data, critical system files and applications and demands a payment to re-enable or unlock them. There are two kinds of ransomware: “Locker,” which leaves data untouched but keeps owners from accessing it on their devices; and “Crypto-Ransomware” which leaves users with access to their computers but encrypts their files and applications; once the ransom is paid, the hackers send a decryption key.

How does ransomware get onto companies’ systems?

Ransomware may be downloaded in a variety of ways: via “phishing” schemes, in which employees are induced to click on harmful links or download harmful files; by downloading infected apps; or through compromised ads (known as “malvertising”) on mainstream sites. Hackers are increasingly sophisticated and creative in using a wide variety of means to introduce ransomware onto computers and mobile devices.

Unlike typical ransomware, there is no evidence that WannaCry is being distributed via phishing schemes, a spam campaign, or through compromised ads. Instead, WannaCry propagates through a self-spreading worm, a form of attack popularized more than a decade ago but rarely seen since.

How did the WannaCry attack spread?

WannaCry ransomware exploits a flaw in the Windows operating system. Networks of computers are particularly vulnerable because the ransomware is spread through standard file sharing technology used by PCs. While Microsoft issued a patch for the flaw in March for currently supported operating systems, unsupported Microsoft Windows operating systems, including Windows XP – widely found in many of the foreign countries hardest-hit by the WannaCry attack – continued to be at risk. Microsoft has since released free patches for its unsupported systems.

How do I protect my company from a ransomware attack?

Regardless of your operating system, you should install any and all available security updates and patches immediately.

If you are running an unsupported operating system – STOP! Upgrade all computers to a supported system immediately.

Never run unlicensed software on your system, as it will not receive the necessary patches or automatic updates.

Back up all of your critical applications and data – and test the backup systems to be sure they can be restored and work properly before you have an attack. Ensure backups are not connected to the computers and networks they are backing up.

Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

Make sure your system includes robust firewalls and Intrusion Detection/Prevention Systems that are up to date and able to receive updates and patches.

Whenever possible, keep data encrypted, whether in transit or stationary. While encryption will not prevent a ransomware attack, it will protect your data if attackers choose to export it or attempt to use it for financial gain.

Restrict access to sensitive files and ensure personnel can access only the data necessary to perform their jobs.

Ensure all employees are aware of the threats and methods of attack and are following sound cybersecurity policies:

Train – and remind – your employees about the dangers of “phishing” attacks and how to report any attempted attacks

Ensure employees verify the identity of the sender of any links and attachments

Keep a copy of your emergency response plan – including phone numbers of key contacts – somewhere other than on your company’s systems.

What should I do if my company suffers a ransomware attack?

Involve your outside counsel so that your decision-making process and the direction of any investigation can be protected by the attorney-client privilege. You then have several options:

Pay the ransom. The FBI does not support paying ransom to the adversary, especially as there is ultimately no guarantee that system access will be restored;

If you have backups and redundancies, you may be able to restore your systems without paying the ransom;

Call in a security/forensic company for assistance in freeing your systems;

Alert a local FBI field office to report the event and request assistance.

If I choose to pay the ransom, how and where do I get bitcoin? How long does it take?

Do not follow the links suggested by the ransomware without the assistance of your IT department as they may lead to software that will further compromise your computers and files. In most cases, the ransomware will require payment by bitcoin because a payment by bitcoin cannot be reversed, and because it will be very difficult if not impossible for anyone to identify the recipient. If your law firm has experience responding to ransomware, then your law firm can help you with the logistics of buying and sending bitcoin.

You will need to open an account with a reputable bitcoin exchange and purchase sufficient bitcoin. The exchange company will need you to link your bank account with the bitcoin wallet provided to you so that you can make an ACH transfer of dollars to your account. The exchange company will need to identify you to comply with its Anti-Money Laundering and Know Your Customer (AML/KYC) compliance procedures. How much information the company will need and how long this will take depends on the amount of the bitcoin you need to purchase, and the speed of the exchange company’s intake process. The exchange company will often require two or three days to pass after the ACH payment is initiated before exchanging the dollars sent for bitcoin. Once the bitcoin is in the bitcoin wallet associated with your account, you will be able to send it to any other wallet, anywhere in the world, nearly instantaneously. If you accidentally send it to an address other than the ransomware perpetrator’s, you will have no way to reverse or recover the bitcoin.

Will my cyber insurance cover a ransomware attack?

In general, the largest expenses associated with a ransomware attack arise out of loss of operations. Cyber-insurance may cover the business interruption, although ransom amounts to date have generally been below most policies’ retention threshold. Also, the vector by which the ransomware entered your system may affect how your cyber-insurance treats the attack. Before relying or counting on its cyber-insurance, a company should have a clear understanding of what types of events are expressly covered or excluded.

Remember, the side effects of the WannaCry attack are likely far from over. Companies must be vigilant, keeping an eye out for social engineering schemes (e.g., where an individual calls a business claiming to be from Microsoft and offering support if given access to its servers) and variant ransomware created by other attackers and used to exploit the WannaCry attack separately and independently.

Khloe Kardashian is the latest Kardashian to find herself in court over her activities on social media. The youngest Kardashian sister was sued by a photographer for copyright infringement in Xposure Photos UK Ltd v Khloe Kardashian et al, 2:17-CV-3088 (C.D. Cal). Xposure alleges that Ms. Kardashian posted a photo it owned on her Instagram without permission and without the copyright attribution notice included on the original. For brands, celebrities, influencers, and others who use social media, particularly to make money or for promotion, this serves as a good reminder that all rights in any photographs, videos, and other content they post on social media must be cleared.

Many people assume based on the community nature of social media that they can post anything and are less careful than they would be on a website or other media. It’s just for fun and interest, right? But as the Xposure complaint points out, social media is commercial use and can reach extensive audiences. The complaint alleges that “Kardashian’s Instagram post made the Photograph immediately available to her nearly 67 million followers and others, consumers of entertainment news—and especially news and images of Kardashian herself, as evidenced by their status as followers of Kardashian—who would otherwise be interested in viewing licensed versions of the Photograph in the magazines and newspapers that are plaintiff’s customers.”

There are several layers of rights in any creative work, such as a photograph—including a selfie. The creator, artist, or photographer has rights in the image or work itself under copyright law. Any people appearing in the work have rights to their image under privacy laws. This is true even (or especially) for public figures and for the deceased. There could be protected trademarks appearing in the background or on clothing. In order to post a photograph or video that includes any of these rights, a license or waiver must be granted.

With the breadth and depth of content posted and the huge audience on social media, the rules that apply to content in other media apply just as much, if not more. Brands and their legal departments should work with their marketing and communications teams to develop a social media policy that governs the rules of the road on social media and avoids these common pitfalls. And always remember:

Clear all publicity rights

Clear all copyrights and trademarks and do not remove any copyright or trademark notices